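#!/bin/sh
# Smoke test for the i.MX Code Signing Tool (cst) PKCS#11 backend on SoftHSM2:
# generate a throwaway HAB4 PKI, import the CSF/IMG signing keys into a
# SoftHSM token, sign a CSF through pkcs11: URIs and check the parsed result.
#
# Shell options live in `set` rather than the shebang so they also apply when
# the script is started as `sh ./script`.
# NOTE: -x echoes every command, including the key passphrase and PINs, to
# stderr. That is tolerable here only because all key material is disposable
# test data generated below; remove -x before reusing this with real keys.
set -eux

# SoftHSM's token store is expected to require 'softhsm' group membership
# (as on Debian-style installs). Match the group name exactly: a plain
# substring grep would also accept e.g. 'softhsm-admin'.
if ! groups | tr ' ' '\n' | grep -qx softhsm; then
    # If we were already re-executed once and the group still is not in the
    # credential set, stop instead of looping on exec forever.
    if [ -n "${CST_SOFTHSM_REEXEC:-}" ]; then
        echo "User $(whoami) still not in 'softhsm' group after re-exec; giving up" >&2
        exit 1
    fi
    echo "User $(whoami) is not in 'softhsm' group. Fixing permissions..."
    sudo adduser "$(whoami)" softhsm
    # newgrp keeps the environment, so the marker survives the re-exec.
    CST_SOFTHSM_REEXEC=1
    export CST_SOFTHSM_REEXEC
    # NOTE(review): with shadow-utils, running a command under a new group is
    # normally `sg softhsm -c CMD`; confirm `newgrp -c` works on the target
    # distro. $0 must be an executable path for this to re-run the script.
    exec newgrp -c "$0" softhsm
fi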

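# Everything produced by the run (PKI tree, decrypted private keys, CSF input
# and signature) lives in a private temp dir; mktemp -d creates it with
# owner-only permissions. Remove it on every exit path so the plaintext keys
# written below never outlive the test, whether it passes or aborts.
dir=$(mktemp -d)
trap 'rm -rf -- "${dir:?}"' EXIT

mkdir -p "$dir/keys"

cd "$dir/keys"

# hab4_pki_tree.sh is run from keys/: it places the generated private keys
# there (plus the passphrase it used in keys/key_pass.txt, read later) and the
# certificates in ../crts. One ECC P-256 SRK that also acts as CA for the
# CSF/IMG keys; -duration is the certificate validity (years, per the CST
# script's usage).
/usr/share/libexec/imx-code-signing-tool/pki_scripts/hab4_pki_tree.sh -existing-ca n -kt ecc -kl p256 -num-srk 1 -duration 100 -srk-ca y

cd "$dir/crts"

# Build the HAB4 SRK table from the SRK1 certificate; the SHA-256 fuse file is
# what would be burned into a device's SRK_HASH fuses.
srktool --h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_secp256r1_v3_ca_crt.pem

cd "$dir"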

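pkcs11_module="/usr/lib/softhsm/libsofthsm2.so"
token="softhsmcst"
# Test-only PINs. They are passed on the command line to softhsm2-util and
# pkcs11-tool (visible in `ps` and in the -x trace) and are embedded in the
# CSF below; do not copy this pattern for a production token.
pin="1234"
so_pin="5678"
# Passphrase hab4_pki_tree.sh used to encrypt the generated private keys.
key_pass=$(head -n 1 "${dir}/keys/key_pass.txt")

softhsm2-util --init-token --slot 0 --label "$token" --pin "$pin" --so-pin "$so_pin"

# The keys are decrypted to plain PEM for import (pkcs11-tool is not handed
# the passphrase). The plaintext copies exist only inside the owner-only
# temp dir and are deleted as soon as the import is done.
csf_key="${dir}/keys/CSF1_1_sha256_secp256r1_v3_usr_key"
img_key="${dir}/keys/IMG1_1_sha256_secp256r1_v3_usr_key"
openssl ec -in "${csf_key}.pem" -out "${csf_key}.decrypted.pem" -passin pass:"$key_pass"
openssl ec -in "${img_key}.pem" -out "${img_key}.decrypted.pem" -passin pass:"$key_pass"

# Private keys are imported sign-only. Each certificate gets the same label
# as its key so the pkcs11: URIs in the CSF (object=CSF_1_1 / IMG_1_1) find
# both halves under one name.
pkcs11-tool --module "$pkcs11_module" -l --write-object "${csf_key}.decrypted.pem" --type privkey --usage-sign --label CSF_1_1 --pin "$pin"
pkcs11-tool --module "$pkcs11_module" -l --write-object "${img_key}.decrypted.pem" --type privkey --usage-sign --label IMG_1_1 --pin "$pin"
pkcs11-tool --module "$pkcs11_module" -l --write-object "${dir}/crts/CSF1_1_sha256_secp256r1_v3_usr_crt.pem" --type cert --label CSF_1_1 --pin "$pin"
pkcs11-tool --module "$pkcs11_module" -l --write-object "${dir}/crts/IMG1_1_sha256_secp256r1_v3_usr_crt.pem" --type cert --label IMG_1_1 --pin "$pin"

# Plaintext keys are no longer needed once they live in the token.
rm -f -- "${csf_key}.decrypted.pem" "${img_key}.decrypted.pem"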

# CSF description for cst. Both signing keys are referenced by pkcs11: URI;
# the user PIN is written into this file as pin-value, so the file (in the
# temp dir) is as sensitive as the PIN itself. The SRK table is the one built
# by srktool above (relative path, cwd is $dir).
cat > hab4.csf <<EOF
[Header]
  Version = 4.0
  Hash Algorithm = sha256
  Engine = ANY
  Engine Configuration = 0
  Certificate Format = X509
  Signature Format = CMS

[Install SRK]
  File = "crts/SRK_1_2_3_4_table.bin"
  Source Index = 0

[Install CSFK]
  File = "pkcs11:token=${token};object=CSF_1_1;pin-value=${pin}"

[Authenticate CSF]

[Install Key]
  Verification Index = 0
  Target Index = 2
  File = "pkcs11:token=${token};object=IMG_1_1;pin-value=${pin}"
EOF

# Sign with the PKCS#11 backend; all private-key operations happen inside
# SoftHSM, cst never sees the key bytes.
cst -i hab4.csf -o csf.bin -b pkcs11

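# The signing step must have produced a non-empty CSF binary (-f alone would
# also accept an empty file).
test -s csf.bin

# Expected hab_csf_parser output for this CSF, byte-exact (the parser emits a
# blank line after each record, including the last).
cat > expected-csf.log <<EOF
SRK Table file created

CSF Certificate Detected

IMG Certificate Detected

Certificate file created

Certificate file created

Signature file created

EOF

hab_csf_parser -c csf.bin > csf.log

# cmp exits non-zero on any difference (aborting the test under -e); -l lists
# the differing byte offsets for diagnosis.
cmp -l csf.log expected-csf.log

# Only reached on success. A run that aborts earlier leaves the token behind
# and a re-run may then create a second token with the same label, making the
# pkcs11: URIs ambiguous; delete it by hand in that case.
softhsm2-util --delete-token --token "$token"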
